where <rnd2> is a random sequence of Latin letters, for example "zaberg".

The worm runs a thread that monitors the integrity of its own executable file. If the worm detects that the file has been modified, it zeroes out the first 63 sectors of any hard drive, including the MBR (Master Boot Record), and displays the following message:

At the attacker’s command, the worm can perform UDP and SYN flood attacks, log FTP and POP server activity, and block or redirect access to web resources.

Propagation

The worm registers for device notifications by calling RegisterDeviceNotification, so it is notified when a USB device is plugged in; it then starts infecting the system.

The worm copies itself, under a randomly generated name, to the USB device plugged into the affected computer. An "AutoRun.inf" file is also added in the root folder of the infected computer. This file causes the worm’s copy to be launched each time the user opens the infected USB drive in Windows Explorer. These files are created as hidden. In addition, the worm copies itself under a random name (for example "2bc58ef0.exe") to a "Recycler" folder that it creates. Its downloaded modules and a "Desktop.ini" file are stored in that folder as well. The "Desktop.ini" file has the following content:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

which registers the folder as a Recycle Bin folder.

All folders of the drive’s root directory are marked as hidden. Link files referring to the worm’s body are created with the hidden folders’ names.
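A triage check for the removable-drive artifacts described above, added here as an example (it is not code from the original write-up): it flags an AutoRun.inf in the drive root, link files named after root folders, and a folder whose Desktop.ini carries the Recycle Bin CLSID while executables sit beside it. The function name scan_drive_root, the indicator labels and the assumption that link files use the .lnk extension are choices made for this example.

```python
import sys
from pathlib import Path

# CLSID taken from the Desktop.ini content shown above (compared case-insensitively).
RECYCLE_BIN_CLSID = "{645ff040-5081-101b-9f08-00aa002f954e}"
HIDDEN = 0x2  # FILE_ATTRIBUTE_HIDDEN; os.stat() only reports it on Windows
EXECUTABLE_SUFFIXES = {".exe", ".scr"}


def is_hidden(path):
    return bool(getattr(path.stat(), "st_file_attributes", 0) & HIDDEN)


def read_lower(path):
    # Strip NUL bytes so a UTF-16 encoded Desktop.ini still matches.
    return path.read_bytes().replace(b"\x00", b"").decode("latin-1").lower()


def scan_drive_root(root):
    """Return (indicator, relative path, detail) tuples for one drive root."""
    root = Path(root)
    entries = list(root.iterdir())
    dirs = {e.name.lower(): e for e in entries if e.is_dir()}
    files = [e for e in entries if e.is_file()]
    findings = []
    for f in files:
        if f.name.lower() == "autorun.inf":
            findings.append(("autorun", f.name, f"hidden={is_hidden(f)}"))
    for f in files:
        # Link file in the root carrying the name of a folder in the root
        # (assumption: link files use the .lnk extension).
        folder = dirs.get(f.stem.lower())
        if f.suffix.lower() == ".lnk" and folder is not None:
            findings.append(("folder-lnk", f.name, f"folder_hidden={is_hidden(folder)}"))
    for d in dirs.values():
        # Folder presented as a Recycle Bin by Desktop.ini but holding executables.
        for ini in (p for p in d.rglob("*") if p.is_file() and p.name.lower() == "desktop.ini"):
            if RECYCLE_BIN_CLSID not in read_lower(ini):
                continue
            exes = sorted(p.name for p in ini.parent.iterdir()
                          if p.suffix.lower() in EXECUTABLE_SUFFIXES)
            if exes:
                rel = ini.parent.relative_to(root).as_posix()
                findings.append(("recycler-exe", rel, ",".join(exes)))
    return findings


if __name__ == "__main__":
    # Usage: python scan_usb.py E:\   (the drive letter is an example)
    for finding in scan_drive_root(sys.argv[1]):
        print(*finding, sep="\t")
```

The hidden attribute is only reported when the script runs on Windows, and a genuine Recycle Bin can contain deleted .exe files, so treat hits as leads for review.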

In addition, the worm spreads via social networks (Bebo, Vkontakte, Twitter, Facebook) by replacing messages sent by the user and adding a link to the worm’s executable file.

The worm infects HTML pages on the compromised FTP servers by adding a hidden frame with a link to the worm’s body.

Removal Recommendations

Restart the computer in safe mode (press and hold the F8 key as the computer restarts, and then select “Safe Mode” on the boot menu).

Delete files:

%Documents and Settings%\%Current User%\%AppData%\<rnd>.exe
%Documents and Settings%\%Current User%\%AppData%\<rnd>.scr
%Documents and Settings%\%Current User%\%AppData%\2.exe
%Documents and Settings%\%Current User%\%AppData%\3.exe
%Documents and Settings%\%Current User%\%AppData%\4.exe
C:\RECYCLER\S-1-5-21-02433556031-8888888379-781863308\<rnd2>.exe